Trojan Scan

Trojan Scan is a simple shell script that allows for simple but relatively
effective checking for trojans, rootkits and other malware that may be using
your server and network for unwanted (and possibly illegal) purposes. Since
this script is relatively simple don’t expect it to catch them all, but it
helps to find these programs on e.g. shared servers. On those machines lots
of users install many kinds of applications. These applications may introduce
new vulnerabilities which would perhaps otherwise not be detected if not for
a very alert sysadmin.

It works by listing all process that use the Internet with the
lsof command (using -Pni flags).
This list is then transformed into signatures in the form of
<process_name>:<protocol>:<port_number_in>:<port_number_out>:<user>.
These signatures then are matched against the allowed process defined in the
configuration. If any signatures of running processes are found that do not
match the allowed signatures, an email report is sent including
ps,
ls, and optional lsof output
(see also: lsof).

The script is relatively easy in use:

Install into /etc/trojan-scan/trojan-scan.conf
and /usr/local/sbin/trojan-scan.sh

Use the following to generate a default configuration:
trojan-scan -C /etc/trojan-scan/trojan-scan.conf
, or,

Check, update and test configuration (test using -n flag to not send
emails),

Add to crontab using e.g:
*/5 * * * * /usr/local/sbin/trojan-scan.sh -F
This will run every 5 minutes, including full lsof listing in email
report. (NB: depending on the load of your server you may need to
increase this interval.)

Now that the script has support for inbound/outbound configuration, it may be
considered as too strict, since it requires you to either supply all programs
that use outbound connections such as e.g. DNS queries, request web pages or
email, or supply some rules that always allow some designated outbound
connections. For example to allow every user, every process to use DNS, use
the following rule:
ALLOWED=”$ALLOWED !@any@!:UDP:!@any@!:53:!@any@!”
However, this defeats any malware using UDP port 53 to communicate.

Test with:
/usr/local/sbin/trojan-scan.sh -n

Other flags:

-d

debug mode

-F

full output

-n

do not send email

-v

verbose mode

-x

shell debug

-C file

generate default configuration file (use - for stdout)

-f config

load configuration from this file

The current paths of the programs used (such as lsof, sed, awk, etc) can be
overridden in the configuration file by defining them just like in the program file (e.g. SED=/usr/bin/sed).

Please let us know when you use this program at info [replace-at] trojanscan [replace-dot] org.

Copyright (c) 2005,2007,2011,2013,2014 Derks.IT / Jeroen Derks

Licensed under the Apache License, Version 2.0 (the “License”);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an “AS IS” BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.